{"id":"ASB-A-265293293","details":"In updatePictureInPictureMode of ActivityRecord.java, there is a possible bypass of background launch restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-265293293","CVE-2023-21145"],"modified":"2026-05-15T15:01:37.959123Z","published":"2023-07-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-07-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/44aeef1b82ecf21187d4903c9e3666a118bdeaf3"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13-next:0"},{"fixed":"13-next:2023-07-01"}]}],"versions":["13-next"],"ecosystem_specific":{"spl":"2023-07-01","vanir_signatures":[{"deprecated":false,"id":"ASB-A-265293293-0cfbc7f2","target":{"file":"services/core/java/com/android/server/wm/ActivityRecord.java","function":"updatePictureInPictureMode"},"source":"https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21","signature_version":"v1","digest":{"function_hash":"84463906349357637457593819849224613900","length":429},"signature_type":"Function"},{"deprecated":false,"id":"ASB-A-265293293-3b846db4","target":{"file":"services/core/java/com/android/server/wm/ActivityRecord.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["38811885578589579865256225484930353749","182937806377545620401941566465606663173","50687391986007160311991249772947348109","19085090832050058609389267391752865303"]},"signature_type":"Line"}],"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-265293293.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2023-07-01"}]}],"versions":["11"],"ecosystem_specific":{"spl":"2023-07-01","vanir_signatures":[{"deprecated":false,"id":"ASB-A-265293293-047a6d7d","target":{"file":"services/core/java/com/android/server/wm/ActivityRecord.java","function":"updatePictureInPictureMode"},"source":"https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21","signature_version":"v1","digest":{"function_hash":"84463906349357637457593819849224613900","length":429},"signature_type":"Function"},{"deprecated":false,"id":"ASB-A-265293293-3fb8d3fe","target":{"file":"services/core/java/com/android/server/wm/ActivityRecord.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["38811885578589579865256225484930353749","182937806377545620401941566465606663173","50687391986007160311991249772947348109","19085090832050058609389267391752865303"]},"signature_type":"Line"}],"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-265293293.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2023-07-01"}]}],"versions":["12"],"ecosystem_specific":{"spl":"2023-07-01","vanir_signatures":[{"deprecated":false,"id":"ASB-A-265293293-36bf829f","target":{"file":"services/core/java/com/android/server/wm/ActivityRecord.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["38811885578589579865256225484930353749","182937806377545620401941566465606663173","50687391986007160311991249772947348109","19085090832050058609389267391752865303"]},"signature_type":"Line"},{"deprecated":false,"id":"ASB-A-265293293-d6c25797","target":{"file":"services/core/java/com/android/server/wm/ActivityRecord.java","function":"updatePictureInPictureMode"},"source":"https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21","signature_version":"v1","digest":{"function_hash":"84463906349357637457593819849224613900","length":429},"signature_type":"Function"}],"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-265293293.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2023-07-01"}]}],"versions":["12L"],"ecosystem_specific":{"spl":"2023-07-01","vanir_signatures":[{"deprecated":false,"id":"ASB-A-265293293-4318acab","target":{"file":"services/core/java/com/android/server/wm/ActivityRecord.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["38811885578589579865256225484930353749","182937806377545620401941566465606663173","50687391986007160311991249772947348109","19085090832050058609389267391752865303"]},"signature_type":"Line"},{"deprecated":false,"id":"ASB-A-265293293-5ab22b4c","target":{"file":"services/core/java/com/android/server/wm/ActivityRecord.java","function":"updatePictureInPictureMode"},"source":"https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21","signature_version":"v1","digest":{"function_hash":"84463906349357637457593819849224613900","length":429},"signature_type":"Function"}],"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-265293293.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-07-01"}]}],"versions":["13"],"ecosystem_specific":{"spl":"2023-07-01","vanir_signatures":[{"deprecated":false,"id":"ASB-A-265293293-2ee0aa9f","target":{"file":"services/core/java/com/android/server/wm/ActivityRecord.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["38811885578589579865256225484930353749","182937806377545620401941566465606663173","50687391986007160311991249772947348109","19085090832050058609389267391752865303"]},"signature_type":"Line"},{"deprecated":false,"id":"ASB-A-265293293-b815f286","target":{"file":"services/core/java/com/android/server/wm/ActivityRecord.java","function":"updatePictureInPictureMode"},"source":"https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21","signature_version":"v1","digest":{"function_hash":"84463906349357637457593819849224613900","length":429},"signature_type":"Function"}],"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/4fad1456409b79d6e649a29d5116a4fe3160bd21"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-265293293.json"}}],"schema_version":"1.7.5"}